L.P.H. van Belle
2020-Mar-11 10:46 UTC
[Samba] Due to CVE in windows, disable SMB3 compression.
https://portal.msrc.micro...idance/advisory/adv200005
Published: 03/10/2020

Workarounds

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place:

Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

No reboot is needed after making the change.
This workaround does not prevent exploitation of SMB clients.

You can disable the workaround with the PowerShell command below.

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
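Added example, not part of the original post or of the Microsoft advisory: a PowerShell check that reports whether the DisableCompression workaround quoted above is in place on one or more servers. The function name and output fields are hypothetical, and remote hosts are assumed to be reachable through PowerShell remoting.

```powershell
# Added example (hypothetical helper, not Microsoft's code): audit the
# DisableCompression value that the advisory's workaround sets.
function Get-SmbCompressionWorkaround {
    [CmdletBinding()]
    param(
        # Servers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each target. A missing value means the workaround was never applied.
    $check = {
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $item = Get-ItemProperty -Path $path -Name DisableCompression -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.DisableCompression } else { $null }
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            DisableCompression = $value            # $null = value not present
            WorkaroundApplied  = ($value -eq 1)    # only 1 disables server-side compression
            Error              = $null
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) {
            & $check
            continue
        }
        try {
            Invoke-Command -ComputerName $name -ScriptBlock $check -ErrorAction Stop |
                Select-Object Computer, DisableCompression, WorkaroundApplied, Error
        }
        catch {
            # Unreachable host: state unknown, so do not report it as protected.
            [pscustomobject]@{
                Computer           = $name
                DisableCompression = $null
                WorkaroundApplied  = $null
                Error              = $_.Exception.Message
            }
        }
    }
}

# List every checked server that is not confirmed to have the workaround.
# The value covers the SMB server role only; SMB clients are not protected by it.
Get-SmbCompressionWorkaround | Where-Object { $_.WorkaroundApplied -ne $true }
```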
L.P.H. van Belle
2020-Mar-11 10:50 UTC
[Samba] Due to CVE in windows, disable SMB3 compression.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

The full link.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Wednesday 11 March 2020 11:46
> To: samba at lists.samba.org
> Subject: [Samba] Due to CVE in windows, disable SMB3 compression.
>
> https://portal.msrc.micro...idance/advisory/adv200005
> Published: 03/10/2020
>
> Workarounds
>
> The following workaround may be helpful in your situation. In
> all cases, Microsoft strongly recommends that you install the
> updates for this vulnerability as soon as they become
> available even if you plan to leave this workaround in place:
>
> Disable SMBv3 compression
>
> You can disable compression to block unauthenticated
> attackers from exploiting the vulnerability against an SMBv3
> Server with the PowerShell command below.
>
> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
>
> Notes:
>
> No reboot is needed after making the change.
> This workaround does not prevent exploitation of SMB clients.
>
> You can disable the workaround with the PowerShell command below.
>
> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Stefan G. Weichinger
2020-Mar-11 13:45 UTC
[Samba] Due to CVE in windows, disable SMB3 compression.
On 11.03.20 at 11:46, L.P.H. van Belle via samba wrote:
> https://portal.msrc.micro...idance/advisory/adv200005
> Published: 03/10/2020
>
> Workarounds

These workarounds are only applicable on MS Windows server machines, right?

Is Samba even affected?

-

This leads (me) to another topic which I want to ask for quite some time now (maybe another thread would be better):

What about the AD-vulnerability in general that attackers like the emotet-hackers exploit?

Is a samba-DC-based AD safer or stronger than a windows-DC-based AD?
Jeremy Allison
2020-Mar-11 16:24 UTC
[Samba] Due to CVE in windows, disable SMB3 compression.
On Wed, Mar 11, 2020 at 02:45:09PM +0100, Stefan G. Weichinger via samba wrote:
> Am 11.03.20 um 11:46 schrieb L.P.H. van Belle via samba:
> > https://portal.msrc.micro...idance/advisory/adv200005
> > Published: 03/10/2020
> >
> > Workarounds
>
> These workarounds are only applicable on MS Windows server machines, right?
>
> Is Samba even affected?

From what I understand, no - thank goodness. Sometimes it's an advantage in being a little slower adding features :-).

Looks like an error in the underlying compression library code to me - that can be really nasty. Fuzz, fuzz and fuzz again.

> This leads (me) to another topic which I want to ask for quite some time
> now (maybe another thread would be better):
>
> What about the AD-vulnerability in general that attackers like the
> emotet-hackers exploit?
>
> Is a samba-DC-based AD safer or stronger than a windows-DC-based AD?

Hard question to answer. The safest thing to say is that we'll have *different* bugs to a Windows based AD. So not putting all your DC eggs in one basket might be a good idea.

Jeremy.